Encryption techniques are generally divided into two classes: symmetric block cryptographic algorithms and asymmetric block cryptographic algorithms. A symmetric block cryptographic algorithm is one in which both encryption and decryption use the same key. This kind of encryption is widely adopted at present; for example, DES (Data Encryption Standard), adopted by the American government, is a typical "symmetric" encryption, and its Session Key length is 56 bits. An asymmetric block cryptographic algorithm is one in which encryption and decryption do not use the same key; instead, a "public key" and a "private key" are generally provided, and they must be used as a pair.
Taking the typical asymmetric block cryptographic algorithm as an example, as shown in FIG. 1, r represents the round number of the current round transformation, p and k represent the round block data and the round key respectively, and σ and λ represent the linear layer transformations in the round, while the only nonlinear layer transformation, γ, basically consists of a plurality of Sbox nonlinear transformations. The framework shown in FIG. 1 is applicable not only to AES (Advanced Encryption Standard), DES and other common symmetric block cryptographic algorithms, but also to other symmetric block cryptographic algorithms, known or unknown, that contain the nonlinear Sbox framework.
Cryptanalysis is an important branch of cryptography. Typical cryptanalysis usually does not consider the specific implementation of a crypto system, but discovers the key information or the insecure factors in the crypto system by means of mathematical reasoning, statistical analysis, high performance computing and provable security methods. These analysis methods include differential analysis, linear analysis, correlation key analysis, algebraic analysis, linear approximation, difficult problem solving and reduction proof, etc.
In practice, however, a crypto system is generally implemented in hardware, or in software running on hardware, such as a smart card, an RFID (Radio Frequency Identification) device, a cryptographic coprocessor, a SoC (System on Chip) cryptographic chip, or a cryptographic machine. In the environments where these crypto systems are implemented, an attacker can make "black box" queries, can also obtain the hardware structure and the encoding implementation of the algorithm through reverse engineering, microprobing and other means, and can observe and measure the running time, energy consumption, electromagnetic radiation and other information of the cryptographic transformation, or can even "intervene" in the normal operation of the cryptographic transformation to make it go wrong. An attacker who makes use of this additional information may be able to break the cryptography more effectively than with a "black box attack". An attack in such an environment is called a "Side Channel Attack". Because of the efficiency of such attacks, international academia, industry and national governments have paid close attention to the Side Channel Attack, which has become one of the most rapidly developing directions in the field of cryptanalysis and cryptographic engineering.
Differential power analysis (DPA) is the most widely used method of Side Channel Attack (SCA): the key in the cryptographic equipment can be restored from the power curves recorded while the cryptographic equipment performs block encryption or decryption operations on a number of different data. DPA uses this plurality of power curves to analyze the energy consumption of the equipment at a fixed time, making use of the data dependence of the energy consumption of the cryptographic equipment; the energy consumption is regarded as a function of the processed data.
The DPA attack rests on the fact that the power consumption of the cryptographic equipment depends on the intermediate values of the cryptographic algorithm executed by the equipment. Therefore, to defend against such an attack, this dependence needs to be reduced or even eliminated. There are two common defending methods: concealing and masking.
The concealing strategy is to eliminate the correlation between the power consumption of the cryptographic equipment and the intermediate values of the operations the equipment performs. This goal can be achieved in two ways: first, building the cryptographic equipment in a special way that randomizes the power consumption, which means that the power consumption of the equipment in each clock cycle is randomly distributed; and second, making the equipment have the same power consumption for all operations and all operands, i.e., the equipment has equal power consumption in each clock cycle.
The core idea of the masking technique is as follows: at the beginning of the calculation, some random masks are first used to carry out a masking operation on the information and the key, and all subsequent operations are almost the same as in the conventional calculation process; however, at the end of certain particular steps, for example, at the end of some round encryption transformation, or at the end of a linear operation in the calculation process, the value of the mask must be known, so as to restore the expected data value at the end of the calculation.
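The following sketch illustrates the masking idea above and is an added example, not part of the original document: a table look-up on masked data whose result is unmasked at the end, together with an exact first-order leakage check. The 4-bit S-box (PRESENT's, used only as a sample), the key nibble, the Hamming-weight power model and all function names are assumptions made for the illustration.

```python
import secrets

# Sample 4-bit S-box (the PRESENT cipher's), standing in for the nonlinear layer.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def hw(x):
    """Hamming weight: the assumed power-consumption model for a handled value."""
    return bin(x).count("1")

def masked_table(m_in, m_out):
    """Recompute the table so that T[x ^ m_in] == SBOX[x] ^ m_out."""
    table = [0] * 16
    for x in range(16):
        table[x ^ m_in] = SBOX[x] ^ m_out
    return table

def masked_round(p, k, m_in=None, m_out=None):
    """Key addition + S-box on masked data; returns (result, handled S-box output)."""
    m_in = secrets.randbelow(16) if m_in is None else m_in
    m_out = secrets.randbelow(16) if m_out is None else m_out
    xm = (p ^ m_in) ^ k                   # mask applied first; key addition is linear
    ym = masked_table(m_in, m_out)[xm]    # the device only ever handles ym
    return ym ^ m_out, ym                 # the mask must be known to unmask at the end

def leakage_profile(masked, k=0x7):
    """Mean modelled leakage of the S-box output, grouped by its true value.

    k is a constructed key nibble. For the masked case all 256 mask pairs are
    enumerated, so the mean is exact rather than sampled.
    """
    profile = {}
    for p in range(16):
        y = SBOX[p ^ k]
        if masked:
            samples = [hw(masked_round(p, k, a, b)[1])
                       for a in range(16) for b in range(16)]
        else:
            samples = [hw(y)]             # unmasked device handles y directly
        profile[y] = sum(samples) / len(samples)
    return profile

if __name__ == "__main__":
    print("unmasked:", leakage_profile(False))   # varies with the true value
    print("masked:  ", leakage_profile(True))    # flat: no first-order dependence
```

Under this model the unmasked profile changes with the true intermediate value, while the masked profile is the same for every value, which is the data dependence that masking is meant to remove.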
However, in the above-mentioned strategies, security in the nonlinear operation represented by the Sbox table look-up operation is improved by masking the single true table look-up operation with a large number of redundant false table look-up operations, which inevitably costs more area resources. In addition, security is improved by using additive and multiplicative random mask factors and the transformation operation among different polarity number fields in the nonlinear operation represented by the Sbox table look-up operation, which also greatly increases the cost in area resources. These approaches are therefore not conducive to realizing an encryption processing device and method capable of defending against the DPA attack in a resource-constrained environment.